WhatsApp Business Privacy Settings: 7 Must-Enable

The seven privacy settings every WhatsApp Business account should enable to protect customer data, plus what Meta still collects after you do

Murali
Jun 12, 2026 · 13 min read
TL;DR

WhatsApp Business defaults are set for ease of use, not for privacy. Out of the box, your last seen is visible to everyone, your profile photo is public, your read receipts are on, your status is broadcast to all contacts, and there is no screen lock on the app. For a business handling customer messages, this exposure level is a problem, both for customer trust and for compliance with GDPR, India's DPDP Act, California's CCPA, and similar laws. This guide walks through the seven specific WhatsApp Business privacy settings I enable on every WhatsApp Business account: (1) read receipts off, (2) last seen restricted to My Contacts, (3) profile photo hidden from non-contacts, (4) status restricted to specific contacts, (5) two-step verification PIN enabled, (6) screen lock with biometric, (7) disappearing messages set as the default for new chats at 90 days. Each setting has a specific menu path, a tradeoff (most have one), and a privacy benefit. At the end I cover what data Meta still collects after you have hardened these settings, because hardening reduces exposure but does not eliminate it.

I switched Mursa's customer support number to WhatsApp Business in October 2024. Within the first month, three customers asked whether their conversations with us were private and what we did with their messages. These are legitimate questions, and the honest answer depends partly on how the WhatsApp Business privacy settings are configured and partly on how Meta handles the data behind the scenes. I had not actually checked our settings beyond the defaults.

Spending two hours auditing and hardening the privacy settings turned out to be one of the highest-leverage things I did that month. Customer trust improved, our privacy policy got accurate (more on policy in the next post in this series), and I sleep better knowing that a stolen phone or a curious onlooker cannot trivially access our customer conversations. This guide is the configuration I now recommend to every Mursa customer who runs WhatsApp Business through their company.

Note: this guide is about the consumer WhatsApp Business app, not the WhatsApp Business Platform API. The API has its own configuration model managed through Business Solution Providers, with WhatsApp Business privacy settings configured through a different admin panel. The app is the free download from your phone's app store that turns your personal-number-style messaging into a business-styled experience.

Setting 1: Turn Off Read Receipts (For Outbound, Not Inbound)

Read receipts (the blue double-checkmarks) tell the sender exactly when you opened their message. For a business, this creates uncomfortable dynamics — customers can see that you read their question at 11 AM and have not replied by 3 PM, and they reasonably wonder why. Turning off read receipts on your business account removes the pressure of visible non-response and gives you room to triage messages without appearing to ignore them.

Path: WhatsApp Business → Settings → Privacy → Read receipts → toggle off. Once disabled, you do not send read receipts when you read messages, and you also do not receive read receipts when others read your messages (this is symmetric — you cannot turn off your own without losing visibility into theirs). Group chats always show read receipts regardless of this setting; the toggle only affects one-on-one conversations.

Tradeoff: customers cannot see that you read their message, which on rare occasions causes them to think the message did not deliver and re-send it. In practice this is uncommon and the privacy benefit outweighs it. For internal team coordination you may want read receipts on; for customer-facing communication you almost always want them off. If you have separate work and personal WhatsApp accounts on different numbers, configure them differently.

Setting 2: Restrict Last Seen and Online Status

Last Seen tells anyone who can see your profile when you last opened WhatsApp. Online status shows in real time when you are actively in the app. Both are public by default — meaning literally anyone who knows your number can see when you are around. For a business, this is uncomfortable surveillance: customers can tell whether you are at your desk right now, which sets weird expectations about response time.

Path: WhatsApp Business → Settings → Privacy → Last seen and online → Last seen → choose Nobody (recommended for business accounts) or My Contacts. Then back to the Last seen and online screen → Who can see when I'm online → choose Same as last seen. After this configuration, customers can no longer see when you were last in WhatsApp or whether you are currently active. They see only your messages, which is the only information that should matter.

Tradeoff: this is symmetric in a different way. If you set Last seen to Nobody, you also cannot see anyone else's last seen — your privacy gain costs you visibility into others. For a business this is fine because you do not need to monitor customer last-seen times anyway. For mixed-use accounts the tradeoff is more meaningful and you may prefer the My Contacts setting which still hides last seen from strangers (including new customers) while keeping it visible for people you already know.

78 percent of WhatsApp Business accounts in a March 2026 audit by Privacy International had Last seen still set to Everyone (the default), which exposes presence patterns to every contact and every stranger who knows the number.

Setting 3: Hide Profile Photo From Non-Contacts

Your WhatsApp profile photo is visible by default to anyone who knows your phone number, regardless of whether they are in your contacts or whether you have ever messaged them. This is a privacy leak that surprises most people — scammers and stalkers regularly use this default to verify whether a number belongs to a specific person before targeting them.

For business accounts the calculation is slightly different because you presumably want potential customers to see your business logo or branded profile photo. But you may not want your personal photo (if your business account uses one) exposed to every stranger who knows the number. Path: WhatsApp Business → Settings → Privacy → Profile photo → choose Nobody, My Contacts, or My Contacts except. For a business with a logo, leave it on Everyone. For a business that uses a personal photo, set to My Contacts or My Contacts except specific people you want to exclude.

Similar setting and similar logic: About (your status text under your name). Path: Settings → Privacy → About → set audience. About is less sensitive than profile photo but still leaks information (motivational quote, location hint, mood). Default it to My Contacts unless your About is intentional marketing copy you want everyone to see.

Profile Photo Verification Scams

A common scam pattern uses the public-by-default profile photo to identify which phone numbers belong to which specific people, then crafts personalized scam messages. Setting Profile photo to My Contacts blocks this reconnaissance — strangers cannot confirm your identity by looking up your number. For employees of a business that handles customer data, this single setting prevents the most common targeted phishing setup against you.

Setting 4: Restrict Status to Specific Contacts

WhatsApp Status (the 24-hour disappearing photo/video posts) is by default visible to all your contacts. For a business account that has thousands of contacts (every customer who ever messaged you), this is a privacy disaster — a personal status update intended for friends gets broadcast to every customer in your contact list. Many WhatsApp Business owners have learned this the hard way when a personal weekend photo showed up in customer chats.

Path: WhatsApp Business → Settings → Privacy → Status → choose My Contacts except (exclude all your customers) or Only share with (include only specific people). For a business account, Only share with is the safer setting because you maintain an explicit allowlist rather than trying to maintain an exclusion list as new customers come in. If you do not post business-related Status updates, the safest setting is Only share with → empty list, effectively turning off Status broadcasting.

An alternative many businesses use: a separate WhatsApp Business account on a different number entirely, with no overlap with personal contacts. This requires either a dual-SIM phone, a second physical phone, or companion mode (covered in the Multi Device post in this series). The cost is more device management; the benefit is a cleaner separation between business and personal Status, Privacy, and contact lists.

Setting 5: Enable Two-Step Verification With a Memorable PIN

Two-step verification adds a six-digit PIN that WhatsApp requires when registering your phone number on a new device. Without it, a SIM-swap attack (where an attacker convinces your carrier to port your number to their SIM) gives them full access to your WhatsApp account. With two-step verification, even after a SIM swap the attacker needs your PIN to register, which they do not have.

Path: WhatsApp Business → Settings → Account → Two-step verification → Turn on → choose a six-digit PIN you will remember → optionally add a recovery email (recommended). WhatsApp occasionally asks for the PIN even on your existing device (about every two weeks for me) as a memorization check. The recovery email is used if you forget your PIN; without it, forgetting your PIN can lock you out of your account for seven days.

Choose a PIN that is not your phone PIN, not your birthday, not a sequence (123456). For most people the right move is a six-digit number unrelated to any other PIN you use, stored in a password manager. The 30 seconds it takes to enable two-step verification is the single most cost-effective security improvement for any WhatsApp account — business or personal. SIM-swap attacks have become more common in 2024-2026 and this is the primary defense.
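
One way to check a candidate PIN against the rules above, as an added example that is not part of the original guide. The function name `check_pin`, its parameters, and the sample values are assumptions, and it goes slightly beyond the text by also rejecting repeated digits and wrap-around runs such as 890123.

```python
import re
from datetime import date

def _is_run(pin):
    """True for ascending or descending runs: 123456, 987654, 890123."""
    steps = {(int(b) - int(a)) % 10 for a, b in zip(pin, pin[1:])}
    return steps in ({1}, {9})

def _date_forms(d):
    """Six-digit renderings of a date that people commonly pick as PINs."""
    dd, mm = f"{d.day:02d}", f"{d.month:02d}"
    yy, yyyy = f"{d.year % 100:02d}", f"{d.year:04d}"
    return {dd + mm + yy, mm + dd + yy, yy + mm + dd, yyyy + mm, mm + yyyy}

def check_pin(pin, other_pins=(), birthdays=()):
    """Return the reasons a candidate PIN is weak; an empty list means it passes."""
    if not re.fullmatch(r"[0-9]{6}", pin):
        return ["must be exactly six digits"]
    problems = []
    if _is_run(pin):
        problems.append("digit sequence")
    if len(set(pin)) == 1:
        problems.append("single repeated digit")
    elif pin[:3] == pin[3:] or pin[:2] * 3 == pin:
        problems.append("repeated block")
    # A shorter PIN (for example a four-digit phone PIN) embedded in the
    # candidate counts as reuse, as does an exact match.
    if any(len(p) >= 4 and p in pin for p in other_pins):
        problems.append("reuses another PIN")
    if any(pin in _date_forms(d) for d in birthdays):
        problems.append("matches a birthday")
    return problems

if __name__ == "__main__":
    # Constructed sample values, not real PINs or dates.
    phone_pin, birthday = "4821", date(1990, 4, 7)
    for candidate in ("123456", "070490", "482193", "583927"):
        verdict = check_pin(candidate, [phone_pin], [birthday]) or ["ok"]
        print(candidate, "->", ", ".join(verdict))
```

Run it locally only; the PINs you pass in are secrets and should not end up in shell history or logs.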

Two-step verification on WhatsApp is the cheapest insurance you will buy this year. Thirty seconds of setup against the entire category of SIM-swap account takeovers. There is no reason not to enable it.

Murali, Founder of Mursa

Setting 6: Enable Screen Lock With Face ID, Touch ID, or PIN

WhatsApp Screen Lock requires biometric authentication (Face ID, Touch ID, or fingerprint) every time you open the app. Without it, anyone with access to your unlocked phone can open WhatsApp and read every conversation — including coworkers who borrow your phone, partners, family members, or anyone who finds your phone briefly unattended.

Path on iOS: WhatsApp Business → Settings → Privacy → Screen Lock → toggle on → choose the lock timeout (immediately, after 1 minute, after 15 minutes, or after 1 hour). On Android: Settings → Privacy → Fingerprint lock → toggle on → similar timeout options. The immediate timeout is the most secure; the longer timeouts are more convenient if you frequently switch between WhatsApp and other apps. I use 1 minute as a compromise.

This is essential for a business account that handles customer messages. Customer conversations are confidential and you do not want a phone left briefly on a desk to expose them. Combined with your phone's own lock screen, screen lock on WhatsApp adds a second layer of authentication specifically for messaging that even an unlocked-phone scenario cannot bypass.

Setting 7: Default Disappearing Messages to 90 Days for New Chats

Disappearing Messages automatically delete messages from a chat after a set duration. WhatsApp supports 24 hours, 7 days, and 90 days. Setting this as the default for new chats means every new conversation you start has disappearing messages enabled from the first message — without having to configure it per-chat.

Path: WhatsApp Business → Settings → Privacy → Default message timer → choose 24 hours, 7 days, or 90 days. For most businesses, 90 days is the right setting: long enough to refer back to recent customer conversations for context, short enough that years-old data does not pile up indefinitely. It also dramatically simplifies your data-retention story for compliance — if a regulator asks how long you retain customer messages, the answer is up to 90 days after which they auto-delete, which is much cleaner than indefinitely.

Tradeoff: customers' messages also disappear from the chat for them after 90 days, which can be confusing if they later look for past conversation history. Address this in your initial customer interaction: when a new customer messages you, send a quick note that conversations auto-delete after 90 days for privacy, and recommend they save any important details on their end. This transparency builds trust rather than confusion.

Disappearing Messages and Compliance

If your business is subject to retention requirements (financial services, healthcare, legal), disappearing messages might conflict with regulatory obligations to preserve communications. Check your specific compliance requirements before enabling them. Most consumer-facing businesses are not affected, but regulated industries may need to retain messages for years and would archive them outside WhatsApp before enabling disappearing messages.

What Meta Still Collects After You Configure Everything

The seven settings above harden your account against humans (curious onlookers, scammers, stalkers, ex-employees). They do not harden your account against Meta itself. WhatsApp messages are end-to-end encrypted, meaning Meta cannot read message content — that part is genuinely private. But Meta still collects metadata that paints a detailed picture of your business: who you message, when you message them, how often, message volume, group memberships, profile data, phone model, IP address, and approximate location.

For business accounts specifically, Meta also collects: business category, business description, business hours, catalog data (if you use WhatsApp Business catalogs), and aggregate messaging statistics. This metadata is shared across Meta's products (Facebook, Instagram, Meta Ads) per their privacy policy. There is no setting you can toggle to opt out of metadata collection — the cost of using WhatsApp Business is that Meta knows the metadata of every conversation you have through it.

If metadata privacy matters for your business (e.g., you handle clients who would be harmed by their identities being known to a third party), WhatsApp may not be the right tool. Signal, which collects far less metadata, is an alternative for some use cases — though it lacks the customer-acquisition benefit of WhatsApp's 2.4 billion users. This is a strategic tradeoff every business has to make consciously rather than by default.

Where Mursa Fits: Customer Messages as Tracked Workflows

Once your WhatsApp Business privacy is hardened, the next problem is making sure you actually respond to customer messages reliably. The privacy settings above hide presence and protect data; they do not help you remember to follow up. Mursa's [WhatsApp-to-task capture](/solutions/stop-losing-tasks-in-slack) turns customer messages into tracked tasks with due dates, so the second a customer asks something time-sensitive, you can forward it to Mursa, set when to respond, and never lose it in your inbox. This pairs naturally with the privacy-hardened setup — protected customer data plus reliable follow-through equals customer trust on both axes.

[Remote teams](/for/remote-teams) handling customer support through WhatsApp Business benefit doubly: the privacy hardening protects each team member's communication, and shared task workflows ensure no customer message slips through the gap when one team member finishes a shift and another picks up. The combination is more reliable than either alone.

Spending an hour configuring these seven WhatsApp Business privacy settings is one of the highest-leverage things a small business can do for customer trust and basic security. The defaults are set for adoption, not privacy, and most businesses run on the defaults forever. Be different. Run the audit, enable the seven settings, document the configuration in your operations doc, and re-audit every quarter. Customer trust is built on small visible commitments like this, and the cost is two hours per year. Cheap insurance for one of the most important relationships any business has.
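
The quarterly re-audit can be made repeatable by recording the settings by hand and comparing them against the guide's baseline, including its exceptions for logo photos and retention obligations. This is an added example, not part of the original guide or of any WhatsApp tooling; the dictionary keys, the `audit` function, and the sample record are hypothetical, since the app exports no configuration file.

```python
# Keys and values are hypothetical names for settings copied by hand from the
# app's Settings screens. APP_DEFAULTS is the out-of-the-box state the guide
# describes, used for anything the record leaves out.
APP_DEFAULTS = {
    "read_receipts": True, "last_seen": "Everyone", "online": "Everyone",
    "profile_photo": "Everyone", "photo_is_logo": False,
    "status": "My Contacts", "two_step_pin": False, "recovery_email": False,
    "screen_lock": False, "default_timer": None,
    "retention_obligation": False, "external_archive": False,
}

def audit(recorded):
    """Return (setting, severity, note) for each departure from the guide."""
    cfg = {**APP_DEFAULTS, **recorded}
    out = []
    if cfg["read_receipts"]:
        out.append(("read_receipts", "fix", "turn off for customer-facing chats"))
    if cfg["last_seen"] not in ("Nobody", "My Contacts"):
        out.append(("last_seen", "fix", "set to Nobody or My Contacts"))
    if cfg["online"] != "Same as last seen":
        out.append(("online", "fix", "set to Same as last seen"))
    # Everyone is acceptable for the photo only when it is a business logo.
    if cfg["profile_photo"] == "Everyone" and not cfg["photo_is_logo"]:
        out.append(("profile_photo", "fix", "personal photo visible to strangers"))
    if cfg["status"] == "My Contacts":
        out.append(("status", "fix", "status reaches every customer contact"))
    elif cfg["status"] == "My Contacts except":
        out.append(("status", "review", "exclusion list must track new customers"))
    if not cfg["two_step_pin"]:
        out.append(("two_step_pin", "fix", "no PIN protects against a SIM swap"))
    elif not cfg["recovery_email"]:
        out.append(("recovery_email", "review", "forgotten PIN can mean a seven-day lockout"))
    if not cfg["screen_lock"]:
        out.append(("screen_lock", "fix", "unlocked phone exposes every chat"))
    # Retention requirements override the 90-day recommendation.
    if cfg["retention_obligation"]:
        if cfg["default_timer"] and not cfg["external_archive"]:
            out.append(("default_timer", "fix", "auto-delete without an external archive"))
    elif cfg["default_timer"] not in ("24 hours", "7 days", "90 days"):
        out.append(("default_timer", "fix", "no default timer; guide suggests 90 days"))
    return out

# Constructed sample record: a logo-branded account hardened per the guide.
HARDENED = {
    "read_receipts": False, "last_seen": "Nobody", "online": "Same as last seen",
    "profile_photo": "Everyone", "photo_is_logo": True, "status": "Only share with",
    "two_step_pin": True, "recovery_email": True, "screen_lock": True,
    "default_timer": "90 days",
}

if __name__ == "__main__":
    for setting, severity, note in audit({}):  # an untouched account
        print(f"[{severity}] {setting}: {note}")
    print("hardened account findings:", audit(HARDENED))
```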

Frequently Asked Questions

What are the most important WhatsApp Business privacy settings to enable?

Seven settings every WhatsApp Business account should configure: turn off read receipts, restrict last seen to nobody or my contacts, hide profile photo from non-contacts, restrict status to specific contacts, enable two-step verification with a six-digit PIN, enable screen lock with biometric, and set disappearing messages default to 90 days for new chats. Each is reached via Settings → Privacy or Settings → Account.

Does turning off read receipts mean I cannot see when others read my messages?

Yes. Read receipts on WhatsApp are symmetric — disabling your own means you also lose the ability to see others' read receipts in one-on-one chats. Group chats always show read receipts regardless of this setting. For business accounts the tradeoff is usually worth it because the privacy benefit outweighs the loss of visibility into customer reading patterns.

Is WhatsApp Business private from Meta itself?

Message content is end-to-end encrypted, so Meta cannot read what you say. However, Meta collects metadata: who you message, when, how often, message volume, group memberships, profile data, IP address, and approximate location. For business accounts they also collect business category, description, hours, and catalog data. No settings opt out of metadata collection; that is the price of using WhatsApp Business.

What is two-step verification on WhatsApp and why does it matter?

Two-step verification adds a six-digit PIN that WhatsApp requires when registering your number on a new device. Without it, a SIM-swap attack gives an attacker full access to your account by porting your number. With it, even after a SIM swap they need your PIN. Setup takes 30 seconds via Settings → Account → Two-step verification and prevents the most common WhatsApp account takeover vector.

Should I enable disappearing messages on WhatsApp Business?

Yes. For most consumer-facing businesses, set the default to 90 days for new chats. This auto-deletes customer messages after 90 days, which simplifies data retention compliance and reduces long-term exposure. Exceptions: regulated industries (finance, healthcare, legal) with retention requirements may need to preserve messages longer and should archive externally before enabling disappearing messages.